Close all 25 codex audit findings and add KMP contract tests

Remediate all P0-S priority findings from cross-platform architecture audit:
- Add input validation and authorization checks across handlers
- Harden social auth (Apple/Google) token validation
- Add document ownership verification and file type validation
- Add rate limiting config and CORS origin restrictions
- Add subscription tier enforcement in handlers
- Add OpenAPI 3.0.3 spec (81 schemas, 104 operations)
- Add URL-level contract test (KMP API routes match spec paths)
- Add model-level contract test (65 schemas, 464 fields validated)
- Add CI workflow for backend tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/handlers/notification_handler.go

@@ -149,6 +149,33 @@ func (h *NotificationHandler) ListDevices(c echo.Context) error {
 	return c.JSON(http.StatusOK, devices)
 }
 
+// UnregisterDevice handles POST /api/notifications/devices/unregister/
+// Accepts {registration_id, platform} and deactivates the matching device
+func (h *NotificationHandler) UnregisterDevice(c echo.Context) error {
+	user := c.Get(middleware.AuthUserKey).(*models.User)
+
+	var req struct {
+		RegistrationID string `json:"registration_id"`
+		Platform       string `json:"platform"`
+	}
+	if err := c.Bind(&req); err != nil {
+		return apperrors.BadRequest("error.invalid_request")
+	}
+	if req.RegistrationID == "" {
+		return apperrors.BadRequest("error.registration_id_required")
+	}
+	if req.Platform == "" {
+		req.Platform = "ios" // Default to iOS
+	}
+
+	err := h.notificationService.UnregisterDevice(req.RegistrationID, req.Platform, user.ID)
+	if err != nil {
+		return err
+	}
+
+	return c.JSON(http.StatusOK, map[string]interface{}{"message": "message.device_unregistered"})
+}
+
 // DeleteDevice handles DELETE /api/notifications/devices/:id/
 func (h *NotificationHandler) DeleteDevice(c echo.Context) error {
 	user := c.Get(middleware.AuthUserKey).(*models.User)